@stephenw10 Yeah, thats what I would like to do... I imagine I could do something like screen-scrape if needed...was hoping there would be something...

@jknott Thanks, very interesting.

No not two NICs, two interfaces, which can be a VLAN. Interestingly the SG-1100 only has one NIC anyway. It uses VLANs internally to create 3 separated interfaces. Steve

@mer said in SG 6100 is worth to buy?: Funny how the whole system is governed by the smallest bandwidth. Exactly. But as you say more ISPs are starting to offer connections in the 1-2Gbps range where 2.5G NICs (at least) are required.

Mmm, interesting. Thanks for following up.

No. The point of using the internal interface abstraction names like that is that there is only one reference between OPT1 and the physical interface. When you re-assign it to the new NIC all the rules on it will follow that. Steve

@srytryagn oh... and just so you completely understand the 1100 doesn't come with any WiFi access points. It's a wired device.

@stepinsky said in OpenSSL vulnerabiltiy: pfSense affected?: I cannot judge the relavance of the vulnerability for pfSense users. That is the big question for sure.. The analysis is still underway at nist https://nvd.nist.gov/vuln/detail/CVE-2021-3712 This vulnerability is currently awaiting analysis. The key really being "If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit." Would that be something that could be done with how and when pfsense uses openssl? And it seems there is a patch for freebsd https://www.freebsd.org/security/advisories/FreeBSD-SA-21:16.openssl.asc So when netgate/pfsense feels its prudent sure they will make it available. edit: Well this openssl thing was in one of the many newsletters I get ;) In one today.. Doesn't seem like it is too much of a concern to be honest. Here is the article if interested https://nakedsecurity.sophos.com/2021/08/27/big-bad-decryption-bug-in-openssl-but-no-cause-for-alarm/

Let me try to replicate it with the values I have first.

@johnpoz said in How to avoid bridge?: You have this? What sfps do you have in it? I have a few SFP+ WDM12-R20/WDM13-R20 for fiber and S-RJ01 for RJ45 (pic above). My main problem is that one of my pfSense interfaces comes from my IPTV router and goes to my TV boxes. I get IPTV signal on all devices. On pfSense with option "Allow packets with IP options to pass." it goes perfectly fine but if I use my CRS317 instead I get no signal flowing from one SFP to another.... that's why I gave up on CRS switching... [image: 1630001319342-img-6163.jpg]

@gertjan Thank you for your reply. Sorry for taking so long to get back to you. I've just renamed the file to .old, re-enabled graphing and everything is back and working. Thanks for your help. Chris.

@jknott Yep. I had tried, but that didn't work. No connection. No ping, no nothing. Reported elsewhere. ARP or what, no clue yet. Had to (1) re-allocate interfaces (in this case, swapping). Trouble is also physical access, after a reboot. Crawling into some dungeons. The box has neither monitor nor keyboard. No, it must be pre-set. (Don't want to whine about 'good old days', and yet, my former Soekris/m0n0wall was just running along. Power off - power on and I had access through the web interface for everything else. Have tried hard, but not found anything on the same level of ease and reliability. Well, updates and performance made it a no-go.)

The config file is in /cf/conf/config.xml. If you edit it live you often have to remove the cached copy: https://docs.netgate.com/pfsense/en/latest/config/xml-configuration-file.html#edit-in-place But I would recommend exporting it from Diag > Backup, editing it and then restoring it again. The system will reboot into the modified config. Steve

@bygiuse said in Transfer sw configuration to an hw appliance: do you think it's possible to transfer the xml backup file from the Server installation to a dedicated netgate hardware appliance? Yes. Depending on the appliance you may need some modification but we can help with that. Most config imports only require re-assigning the interfaces though. Steve

Yes, that sounds like what's happening. Of course with the switch routing between the VLANs pfSense never sees it and cannot filter it. It's significantly different to the previous network setup. That Lanner is Atom D410 or D510. Not the fastest but either can run pfSense 2.5.2. Steve

@worldhopp said in SG-2100 suricata - good performance?: the 2100 is not good enough for Suricata and that it will throttle the system Any system will have it's throughput reduced by Suricata or Snort. What matters is if that reduced level is still higher than your available WAN bandwidth. It's also very hard to put any definitive numbers on it because performance can vary wildly depending on what signatures you have loaded and the detection engine settings. Steve

Thanks for the replies. I installed ChronyControl on both my Macs and disabled the inbuilt NTP client and it seems to be working. Unfortunately I don't have enough time to investigate it all much further now, and in any case I like the functionality that ChronyControl brings so will stick with that for now.

@knight said in Trying to add serial card, does not get recognized...: (in reference to your latest avatar... ) Yah, thought I'd update it a bit... how shitty the internet is here (Hungary) I forgot this is DOCSIS (50/300)... - instead of GPON I already miss my chair and the rush... / RTOS

Yeah, for some reason, you can disable it globally with the loader variable and then enable it again per interface with a sysctl but not the other way around. For ix at least. Steve